apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: ks-account
    tier: backend
    version: advanced-2.0.0
  name: ks-account
  namespace: kubesphere-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ks-account
      tier: backend
      version: advanced-2.0.0
  template:
    metadata:
      labels:
        app: ks-account
        tier: backend
        version: advanced-2.0.0
    spec:
      serviceAccount: kubesphere
      serviceAccountName: kubesphere
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Exists
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: node-role.kubernetes.io/master
                operator: In
                values:
                - "" 
      volumes:
      - configMap:
          defaultMode: 420
          name: policy-rules
        name: policy-rules
      - name: ca-dir
        secret:
          defaultMode: 420
          secretName: kubesphere-ca
      - configMap:
          defaultMode: 420
          name: user-init
        name: user-init
      initContainers:
      - name: wait-redis
        image: {{ busybox_repo }}:{{ busybox_tag }}
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'until nc -z redis.kubesphere-system.svc 6379; do echo "waiting for redis"; sleep 2; done;']
      - name: wait-ldap
        image: {{ busybox_repo }}:{{ busybox_tag }}
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'until nc -z openldap.kubesphere-system.svc 389; do echo "waiting for ldap"; sleep 2; done;']
      containers:
      - command:
        - ks-iam
        - --v=4
        - --logtostderr=true
        - --devops-database-connection=root:password@tcp(openpitrix-db.openpitrix-system.svc:3306)/devops
        - --ldap-server=openldap.kubesphere-system.svc:389
        - --redis-server=redis.kubesphere-system.svc:6379
        - --ldap-manager-dn=cn=admin,dc=kubesphere,dc=io
        - --ldap-manager-password=$(LDAP_PASSWORD)
        - --ldap-user-search-base=ou=Users,dc=kubesphere,dc=io
        - --ldap-group-search-base=ou=Groups,dc=kubesphere,dc=io
        - --jwt-secret=$(JWT_SECRET)
        - --admin-password=P@88w0rd
        - --token-expire-time=0h
        - --jenkins-address=http://ks-jenkins.kubesphere-devops-system.svc/
        - --jenkins-password={{ ks_token_str }}
        - --master-url={{ kube_apiserver_host }}
        env:
        - name: KUBECTL_IMAGE
          value: {{ ks_kubectl_repo }}:{{ ks_kubectl_tag }}
        - name: JWT_SECRET
          valueFrom:
            secretKeyRef:
              key: jwt-secret
              name: ks-account-secret
        - name: LDAP_PASSWORD
          valueFrom:
            secretKeyRef:
              key: ldap-admin-password
              name: ks-account-secret
        volumeMounts:
        - mountPath: /etc/kubernetes/pki
          name: ca-dir
        - mountPath: /etc/ks-iam
          name: user-init
        - mountPath: /etc/kubesphere/rules
          name: policy-rules
        image: {{ ks_account_repo }}:{{ ks_account_tag }}
        imagePullPolicy: {{ ks_image_pull_policy }}
        name: ks-account        
        ports:
        - containerPort: 9090
          protocol: TCP
        resources:
          limits:
            cpu: {{ ks_account_cpu_limit }}
            memory: {{ ks_account_memory_limit }}
          requests:
            cpu: {{ ks_account_cpu_requests }}
            memory: {{ ks_account_memory_requests }}


---

apiVersion: v1
kind: Service
metadata:
  labels:
    app: ks-account
    tier: backend
    version: advanced-2.0.0
  name: ks-account
  namespace: kubesphere-system
spec:
  ports:
  - name: ks-account
    port: 80
    protocol: TCP
    targetPort: 9090
  selector:
    app: ks-account
    tier: backend
    version: advanced-2.0.0
  sessionAffinity: None
  type: ClusterIP

